Email phishing is nothing new, but lateral email phishing is continuing to grow and evolve. Lateral phishing occurs when an attacker compromises a legitimate internal email account and uses it to send phishing emails. Because the messages appear to come from a trusted, internal source, they are hard for organizations to defend against.
Today, Barracuda released a report that offers some insight into these evolving threats. The report, Spear Phishing: Top Threats and Trends Vol. 2 – Email Account Takeover: Defending Against Lateral Phishing, surveyed 100 organizations about their experience with lateral phishing.
“Email threats, including account takeover and lateral phishing, continue to evolve, and cybercriminals continue to find new ways to execute attacks, avoid detection, and trick users,” said Mike Flouton, vice president of email security at Barracuda Networks. “Staying ahead of these types of attacks requires an understanding of the latest tactics being used by cybercriminals and the critical precautions available to help defend your business.”
The company found that 1 in 7 organizations have experienced a lateral phishing attack over the course of a seven-month period. Of those that were attacked, over 60 percent experienced multiple attacks.
On top of that, 11 percent of attacks resulted in the attacker gaining access to additional employee accounts, the report found.
The hijacked enterprise accounts studied can be sorted into four categories:
- Account-agnostic: Attackers did not draw heavily on the relationship between the hijacked account and the target
- Targeted-recipient: Attackers selected victims based on the hijacked account’s recent or close contacts
- Organization-wide: Attackers sent phishing emails to a large group of employees at the company
- Lateral-organization: Attackers sent phishing emails to a group of employees at other organizations in the same industry
In addition, the email messages tend to rely on one of two deceptive narratives. One is a false claim of an issue with the target’s email account, and the other is a message that provides a link to a fake document. Sixty-three percent of attacks used generalized messages, 30 percent used refined messages, and seven percent were highly targeted messages.
Barracuda recommends companies defend against lateral phishing with security awareness training, advanced detection techniques, and two-factor authentication.
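As an added illustration of the detection side of this (example code written for this page, not from the report or from Barracuda), the Python below triages an outbound mail burst from one internal account into the four categories above and tags the two lure narratives. The thresholds, the domain-to-industry map and the sample addresses are constructed assumptions, not values from the report.

```python
"""Heuristic triage of an outbound mail burst from a hijacked internal account.
Thresholds, the industry map and the sample data below are constructed."""

ORG_WIDE_MIN = 20      # assumption: >= 20 internal recipients looks organization-wide
LATERAL_MIN_ORGS = 3   # assumption: >= 3 peer organizations looks lateral-organization
CONTACT_RATIO = 0.5    # assumption: mostly known contacts looks targeted-recipient

# Constructed: industry of each domain (the sender's own domain included).
INDUSTRY = {"example.com": "finance", "peerbank.example": "finance",
            "creditunion.example": "finance", "trust.example": "finance",
            "shop.example": "retail"}

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def classify_burst(sender, recipients, recent_contacts):
    """Return one of the report's four categories for the burst of messages
    that `sender` (a hijacked internal account) sent to `recipients`."""
    home = domain(sender)
    rcpts = {r.lower() for r in recipients}
    internal = {r for r in rcpts if domain(r) == home}
    external = rcpts - internal
    if len(internal) >= ORG_WIDE_MIN:
        return "organization-wide"
    # peer organizations: external domains in the same industry as the sender's org
    peers = {domain(r) for r in external
             if INDUSTRY.get(domain(r)) == INDUSTRY.get(home)}
    if len(peers) >= LATERAL_MIN_ORGS:
        return "lateral-organization"
    known = len(rcpts & {c.lower() for c in recent_contacts})
    if rcpts and known / len(rcpts) >= CONTACT_RATIO:
        return "targeted-recipient"
    return "account-agnostic"

def lure_type(subject):
    """Map a subject line onto the report's two narratives (keyword heuristic)."""
    s = subject.lower()
    if any(k in s for k in ("account", "password", "mailbox", "quota")):
        return "account-issue"
    if any(k in s for k in ("document", "file", "shared", "invoice")):
        return "fake-document"
    return "other"

# Constructed sample bursts from one hijacked account.
SENDER = "alice@example.com"
RECENT_CONTACTS = {"bob@example.com", "carol@example.com", "dan@peerbank.example"}
SAMPLES = {
    "org_wide": [f"user{i}@example.com" for i in range(25)],
    "lateral": ["cfo@peerbank.example", "ap@creditunion.example",
                "ops@trust.example", "ceo@shop.example"],
    "targeted": ["bob@example.com", "carol@example.com",
                 "dan@peerbank.example", "eve@shop.example"],
    "agnostic": ["x@shop.example", "y@example.com"],
}
```

Running `classify_burst(SENDER, SAMPLES[name], RECENT_CONTACTS)` for each sample yields one category per case; in practice the thresholds would be tuned to the organization's normal sending patterns.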